1 Billion Messages Not Served

Posted by Adam Swidler, Product Marketing Manager, Postini

Postini is a recent addition to Google that offers solutions that help enterprises make their existing email infrastructure more secure, compliant and productive. We process email for more than 35,000 businesses and 12 million end users, and block about 1 billion messages per day, which is a good sample size to report on global spam trends for businesses. In 2007, Postini data centers recorded the highest levels of spam and virus attacks in history. Much of this was fueled by an increase in the number of botnet computers being used to send spam. Botnets are networks of infected PCs, usually with broadband Internet connections that are co-opted by hackers and used to send spam and virus attacks. Often they are compromised without their owner's knowledge. We started to see these botnets kick in back in September of 2006. Since that time, spam volumes are up more than 163 percent. We saw a peak of activity in October 2007 where volume was a 263 percent increase from September 2006 and Postini blocked 47 billion spam messages, more than 320 Terabytes of spam (now that's a lot of spam). The average unprotected e-mail user would have received 32,000 spam messages in their in-boxes so far this year. Talk about lost productivity. In fact, Nucleus research estimates unchecked spam can cost a company up to $742 per user.

But what's really different this year is the innovation with which spammers attempted to evade detection by spam filters. In the early part of 2007, image spam was used heavily, with the spam content (such as "pharmaceuticals for sale," "hot stocks," etc) contained in an image attached to the message. Over the course of the year image spam declined and was replaced by PDF spam, document and spreadsheet spam and even multimedia spam. That's right - an audio file promoting a particular stock. We saw examples of compressed and password protected emails as well. All this effort to deliver spam content in email attachments had a significant impact on the size of spam overall. Taking 7.5 Kb as an average spam message size, an organization with 100 employees (that didn't use a hosted solution to block spam outside the firewall) would have wasted 22Gb of storage and bandwidth. Who wants that sitting on their servers?

The chart below shows the trend of the volume of spam rising throughout the year (blue line) and the peaks in the size of spam (orange line):



In Europe, spam volume was also up in 2007 and the percentage of email that is spam increased from 70% to 90% as shown below:




Virus attacks in 2007 were also at record levels and showed similar techniques to what we observed for spam email. In January 2007, the high profile "Storm" botnet got its start with an email that was spammed out with an executable file attached. In April and May, we saw virus emails with password protected executables attached and the password contained in the body of the email. In the late summer, we saw a huge spike of Storm virus attacks that used a blended threat - an email message with a URL that took the user to an infected website that then downloaded the Storm malware to the PC. The linkage between spam and viruses continued in 2007, with messages being spammed out from botnets with virus attacks intended to add more computers to the botnet. The chart below shows the Storm virus activity for 2007:



For 2008, this game of chess will continue, and the stakes may become even higher. While the number of threats may not increase, the complexity will. Businesses will be challenged to identify more types of malicious content and protect sensitive information against new methods of social engineering. So what does the forecast for next year looks like? Here are some of the trends we expect to see coming to a business near you in 2008:

• Spam volume will stabilize and could actually decrease in 2008 as spam attacks become more targeted and less of a pure volume game. As more and more spam content will be contained in attachments, we do expect that the overall size of spam will continue to increase.

• Virus attacks will continue to blend with spam and will focus more on identity theft. They will utilize increasingly sophisticated social engineering techniques that will be related to specific current events such as the Olympics, the Super Bowl, natural disasters etc. Virus attacks will become more targeted toward executives at specific companies and will appear to come from legitimate business agencies. Their goal will increasingly be to steal corporate and government data. We expect to see several of these types of attacks, leading to data breaches from commercial enterprises and government agencies. This may force some companies to modify their email practices, such as financial institutions not including any links in their email communications to customers.

• More businesses and organizations will implement specific policies that address outbound content in email and will deploy systems to monitor and enforce those policies to prevent sensitive or confidential data leaks.

• The growing need for managing consumer data privacy and retention policies globally will drive growth of encryption and archiving and hosted solutions will play a major role in reducing the cost and complexity.

• Identity theft attacks will increasingly be launched through web sites, especially those that enable user created content such as social networking sites, blogs and auction sites.

If you’d like to know more about Postini’s spam and virus trends, you can read our weekly summaries on the Postini Community Forum in the Threat Advisory board.